Unconditional optimality of Gaussian attacks against continuous-variable QKD 



Raul Garcia-Patron$^1$ and Nicolas J. Cerf$^1$
$^1$QuIC, Ecole Polytechnique, CP 165, Universite Libre de Bruxelles, 1050 Bruxelles, Belgium

A fully general approach to the security analysis of continuous-variable quantum key distribution (CV-QKD) is presented. Provided that the quantum channel is estimated via the covariance matrix of the quadratures, Gaussian attacks are shown to be optimal against all eavesdropping strategies, including collective and coherent attacks. The proof is made strikingly simple by combining a physical model of measurement, an entanglement-based description of CV-QKD, and a recent powerful result on the extremality of Gaussian states [Phys. Rev. Lett. 96, 080502 (2006)].



PACS numbers: 03.67.Dd, 89.70.+c, 42.50.-p






Continuous-variable quantum information [?] has attracted a rapidly increasing interest over the past few years. Several QKD schemes based on a Gaussian modulation of coherent states of light combined with homodyne or heterodyne detection have been proposed [?] and experimentally demonstrated [?]. These protocols have the advantage of being based on standard optical telecom components and thereby of working at high repetition rates compared to the schemes based on single-photon detectors. The first security proof of CV-QKD was restricted to Gaussian individual attacks [?]. In such an attack, the eavesdropper (Eve) is assumed to interact individually - according to a Gaussian map - with each of the signal pulses sent over the line, and then to perform a Gaussian (homodyne or heterodyne) measurement on her probe after the basis information (if any) is disclosed but before the full classical post-processing. Later on, it was shown that non-Gaussian individual attacks cannot beat Gaussian attacks [?], so that studying the security against Gaussian individual attacks is quite justified. This proof extends to the case where Eve attacks finite-size blocks of pulses, but does not cover the important class of collective attacks, where Eve jointly measures all her probes (each having interacted with a signal pulse) after the classical post-processing has taken place [?]. The security versus Gaussian collective attacks was recently studied in [?], but a definitive proof of the optimality of Gaussian attacks was missing.

In this Letter, we prove that the optimal collective attack reduces to a Gaussian attack that is completely characterized by the covariance matrix of the quadratures observed by the emitter (Alice) and receiver (Bob). This optimality is probably even stronger in view of the recent result that the most general attacks, namely coherent attacks (where Eve coherently interacts with all signal pulses and performs a joint measurement after the classical post-processing), cannot outperform collective attacks [?], implying that it is sufficient to check the security of QKD against collective attacks.

One-way QKD protocols with Gaussian continuous variables are divided into two steps, a quantum communication part followed by a classical post-processing. In the quantum part, Alice sends either a displaced squeezed state encoding a random Gaussian variable or a coherent state encoding two Gaussian variables. Then, Bob performs either homodyne (active basis-choice) or heterodyne measurement (no basis-choice) on the received states (not necessarily Gaussian) in order to decode Alice's variable. Once Alice and Bob have collected a sufficiently large list of correlated data, they proceed with the classical post-processing. Unless Alice sent coherent states and Bob did heterodyne measurement, they first apply a sifting, where they compare the chosen encoding and measurement quadratures ($x$ or $p$) and keep only the values for which the quadratures match. Then, they apply parameter estimation, i.e., they calculate the covariance matrix $\gamma_{AB}$ of their correlated variables from a randomly chosen sample of their data. The optimal attack being Gaussian (as we will prove below), $\gamma_{AB}$ completely characterizes the channel, as the first-order moments of the quadratures do not play any role. Finally, they apply one-way error correction and privacy amplification to distill a secret key. The error correction can be done in two ways: either direct reconciliation (DR), where Bob corrects his data to match Alice's, or reverse reconciliation (RR), where Alice's and Bob's roles are interchanged [?].

Physical model of measurement. Assume Alice and Bob share a quantum state $\rho_{AB}$ and Alice then makes a von Neumann measurement on system $A$, obtaining the outcome $a$ distributed according to the probability distribution $p(a)$. This measurement can be realized by applying an appropriate unitary operation $U_a$ on $A$ together with an ancilla, and subsequently observing the state of this ancilla while tracing over the resulting quantum system $A'$ (see Fig. 1). Considering the ancilla as a physical system, denoted $a$ after the action of $U_a$, the joint state of $a$ and $B$ after the measurement is

$$\rho_{aB} = \int da\, p(a)\, |a\rangle\langle a| \otimes \rho_B^a. \tag{1}$$

Given the block-diagonal structure of $\rho_{aB}$, the quantum mutual entropy $S(a{:}B)$ can be shown to coincide with the Holevo bound $\chi_{aB} = S(\rho_B) - \int da\, p(a)\, S(\rho_B^a)$ [?]. Note that the situation here is fully equivalent to that where $a$ is a classical preparer and $B$ is a quantum preparation.

FIG. 1: Alice's measurement of system $A$ of the bipartite state $\rho_{AB}$, giving the result $a$. Equivalently, $a$ denotes the internal state of a preparer who prepares system $B$ according to $a$.

FIG. 2: Entanglement-based scheme for CV-QKD. Alice's preparation is modelled by a measurement $U_a$ on her half of an EPR pair. The channel is modelled by a unitary interaction between mode $B$ and Eve's ancilla $E$. Finally, Bob's measurement is modelled by $U_b$.



Now, assume Bob measures his system $B$ by means of the unitary $U_b$ in a similar way as Alice. The resulting joint state is given by the diagonal density operator,

$$\rho_{ab} = \int da\, db\; p(a,b)\, |a\rangle\langle a| \otimes |b\rangle\langle b|. \tag{2}$$

The quantum mutual entropy $S(a{:}b)$ then simply reduces to the Shannon mutual information $I_{ab}$ between the preparer's and the measurer's internal states. The Holevo bound on the accessible information then becomes a straightforward consequence of the strong subadditivity of von Neumann entropies, namely [?]

$$I_{ab} = S(a{:}b) \le S(a{:}bB') = S(a{:}B) = \chi_{aB}. \tag{3}$$



Entanglement-based version of CV-QKD. The description of any prepare-and-measure CV-QKD protocol using its equivalent entanglement-based scheme is very convenient for security analyses [?]. Indeed, all protocols based on the Gaussian modulation of Gaussian states and homodyne (or heterodyne) measurement can be described in a unified way, see Fig. 2. Alice and Bob are assumed to share a bipartite quantum state $\rho_{AB}$, whose purification is given to Eve. Alice's measurement of $A$ is equivalent to a preparation scheme where she randomly chooses $a$, according to $p(a)$, and sends the corresponding state in the quantum channel so that Bob receives the state $\rho_B^a$ at the output. The unitary $U_a$ determines which measurement is performed: homodyne measurements, corresponding to the preparation of squeezed states, or heterodyne measurements, corresponding to the preparation of coherent states ($a$ then collectively denotes two real numbers). The maximal information that is accessible to Bob is given, in principle, by $\chi_{aB} = S(a{:}B)$. In practice, however, Bob applies a homodyne (or heterodyne) measurement on $B$, giving $b$, so the actually extracted information is $I_{ab} = S(a{:}b)$. Since there are two possible encodings at Alice's station and two possible measurements at Bob's station, there exist four Gaussian protocols (three of them having been described in [?]).

Consider now that Eve performs a collective attack: she interacts individually with each signal pulse sent by Alice, stores her resulting probes in a quantum memory, and then applies a joint measurement over them at the end of the classical post-processing. As shown in [?], her information is then limited by the Holevo bound $\chi_{aE} = S(\rho_E) - \int da\, p(a)\, S(\rho_E^a)$. Because Eve holds the purification of $\rho_{AB}$, this bound can be calculated from $\rho_{AB}$; for example, when Alice and Bob apply the same measurement, it reads $\chi_{aE} = S(\rho_{AB}) - \int da\, p(a)\, S(\rho_B^a)$. If $\rho_{AB}$ is assumed to be Gaussian, then $\chi_{aE}$ can be directly computed from $\gamma_{AB}$.

Extremality of Gaussian states. To prove the optimality of Gaussian collective attacks, we also need a very useful theorem, recently proven in [?]. Let us sketch it here for bipartite states $\rho_{AB}$ that have zero first-order moments. Let $f$ be a function satisfying the properties

1. continuity in trace norm: if $\|\rho_{AB}^{(n)} - \rho_{AB}\|_1 \to 0$ when $n \to \infty$, then $f(\rho_{AB}^{(n)}) \to f(\rho_{AB})$,

2. invariance under local "Gaussification" unitaries: $f(U_G \otimes U_G\, \rho_{AB}^{\otimes N}\, U_G^\dagger \otimes U_G^\dagger) = f(\rho_{AB}^{\otimes N})$,

3. strong super-additivity: $f(\rho_{A_{1\ldots N}B_{1\ldots N}}) \ge f(\rho_{A_1B_1}) + \ldots + f(\rho_{A_NB_N})$, with equality if $\rho_{A_{1\ldots N}B_{1\ldots N}} = \rho_{A_1B_1} \otimes \cdots \otimes \rho_{A_NB_N}$.

Then, for every bipartite state $\rho_{AB}$ with covariance matrix $\gamma_{AB}$, we have that

$$f(\rho_{AB}) \ge f(\rho^G_{AB}), \tag{4}$$

where $\rho^G_{AB}$ is the Gaussian state with the same $\gamma_{AB}$. The proof can be summarized by

$$f(\rho_{AB}) \overset{(3)}{=} \frac{1}{N} f(\rho_{AB}^{\otimes N}) \overset{(2)}{=} \frac{1}{N} f(\tilde\rho_{A_{1\ldots N}B_{1\ldots N}}) \overset{(3)}{\ge} \frac{1}{N} \sum_{k=1}^{N} f(\tilde\rho_{A_kB_k}) \overset{(1,*)}{\simeq} f(\rho^G_{AB}), \tag{5}$$

where the superscripts label the assumptions used in each step, while $\tilde\rho_{A_{1\ldots N}B_{1\ldots N}} = U_G \otimes U_G\, \rho_{AB}^{\otimes N}\, U_G^\dagger \otimes U_G^\dagger$. The $*$ stands for the use of a central limit result for quantum states (see [?] for details). The Gaussification unitary $U_G$ is a passive operation, which can be realized with a network of beam splitters and phase shifters. Importantly for what follows, the $x$ and $p$ quadratures of all modes are thus not mixed via Gaussification.

Optimality of Gaussian attacks. The core of our proof now consists in combining this extremality result with the entanglement-based version of CV-QKD supplemented with our physical model of measurement. In realistic protocols, Alice and Bob do not achieve the Holevo bound, but only extract the mutual information $I_{ab} = S(a{:}b)$. In contrast, Eve is assumed to have no technological limitation, so, by collective attacks, she can attain the Holevo bound $\chi_{aE} = S(a{:}E)$. Then, using our notation, the achievable DR secret key rate reads [?],

$$K(\rho_{AB}) = S(a{:}b) - S(a{:}E) = S(a|E) - S(a|b). \tag{6}$$

The function $K(\rho_{AB})$ depends on the choice of the measurement done by Alice and Bob (and on the sifting if any), but does not depend on the purification of $\rho_{AB}$. We will now prove that $K(\rho_{AB})$ satisfies the three conditions of the Gaussian extremality theorem. For this, we also need to use the extension of this function over $2N$ modes ($\mathbf{A} = A_{1\ldots N}$, $\mathbf{B} = B_{1\ldots N}$), namely

$$K(\rho_{\mathbf{AB}}) = S(\mathbf{a}{:}\mathbf{b}) - S(\mathbf{a}{:}E) = S(\mathbf{a}|E) - S(\mathbf{a}|\mathbf{b}), \tag{7}$$

where Alice (Bob) does the same measurement on each of her (his) $N$ modes, and Eve has the purification of $\rho_{\mathbf{AB}}$. Note that Eq. (7) reduces to Eq. (6) when $N = 1$.

i) Continuity: If $\|\rho_{AB}^{(n)} - \rho_{AB}\|_1 \le \epsilon$, using Uhlmann's theorem and well-known relations between the fidelity and trace distance [?], we can find a purification $|\Psi^{(n)}\rangle_{ABE}$ ($|\Psi\rangle_{ABE}$) of $\rho_{AB}^{(n)}$ ($\rho_{AB}$) such that $\|\Psi^{(n)}_{ABE} - \Psi_{ABE}\|_1 \le 2\sqrt{\epsilon}$. Then, considering that partial trace can only decrease the trace norm [?], we have $\|\rho^{(n)}_{aE} - \rho_{aE}\|_1 \le 2\sqrt{\epsilon}$, and $\|\rho^{(n)}_{ab} - \rho_{ab}\|_1$ is bounded as well. Finally, the continuity of von Neumann entropies implies the continuity of $K$. □

ii) Invariance under local Gaussification unitaries: Applying the local Gaussification operation $U_G \otimes U_G$ on the product states $|\psi\rangle^{\otimes N}_{ABE}$ (as shown in Fig. 3 for $N = 2$), we obtain the state $|\tilde\psi\rangle_{ABE}$. After the measurements on Alice's and Bob's sides, the state becomes $\tilde\rho_{abE}$. But because the (homodyne or heterodyne) measurement and the Gaussification operation can be interchanged, by applying $U_G^{-1} \otimes U_G^{-1}$ on modes $a$ and $b$ we recover the state $\rho^{\otimes N}_{abE}$, which coincides with the state obtained by directly measuring $|\psi\rangle^{\otimes N}$ without Gaussification. Since the two states are related by a local unitary operation $U_G \otimes U_G$ and since the mutual von Neumann entropies appearing in $K(\rho_{AB})$ are invariant under (any) local unitaries, we obtain the invariance of $K(\rho_{AB})$ under local Gaussification unitaries. □

FIG. 3: Invariance under local "Gaussification" unitaries: $U_G$ can be interchanged with the measurement $U_a$, then $U_G^{-1}$ and $U_G$ cancel each other.

iii) Strong super-additivity: We will restrict the proof to two modes on each side, $A_{1,2}$ and $B_{1,2}$, the generalization to $N > 2$ being straightforward. We have

$$K(\rho_{A_{1,2}B_{1,2}}) = S(a_1a_2|E) - S(a_1a_2|b_1b_2), \tag{8}$$

where the conditional entropies can be expressed as

$$S(a_1a_2|E) = S(a_1|a_2E) + S(a_2|a_1E) + S(a_1{:}a_2|E),$$
$$S(a_1a_2|b_1b_2) = S(a_1|b_1b_2) + S(a_2|b_1b_2) - S(a_1{:}a_2|b_1b_2).$$

As a consequence of the strong sub-additivity of von Neumann entropies, we obtain the bound

$$K \ge \underbrace{S(a_1|a_2E) - S(a_1|b_1b_2)}_{\ge\, S(a_1|A_2B_2E) - S(a_1|b_1)} + \underbrace{S(a_2|a_1E) - S(a_2|b_1b_2)}_{\ge\, S(a_2|A_1B_1E) - S(a_2|b_2)} \tag{9}$$

(using the fact that conditioning can only decrease the conditional entropy). The purification of $A_1B_1$ ($A_2B_2$) being $A_2B_2E$ ($A_1B_1E$), we obtain

$$K(\rho_{A_{1,2}B_{1,2}}) \ge K(\rho_{A_1B_1}) + K(\rho_{A_2B_2}). \tag{10}$$

The additivity of $K(\rho_{A_{1,2}B_{1,2}})$ is a straightforward consequence of the additivity of von Neumann entropies. □

Thus, using Eq. [?], we have proved that for all bipartite quantum states $\rho_{AB}$ with covariance matrix $\gamma_{AB}$, one has $K(\rho_{AB}) \ge K(\rho^G_{AB})$. This means that $K(\rho^G_{AB})$ is a lower bound on the secret key rate for any protocol (even non-Gaussian) and collective attack (including non-Gaussian). The only requirement for this result to hold is that Alice and Bob use the second-order moments of the quadratures in order to calculate this bound. In particular, for the Gaussian-modulation protocols of [?], Eve's optimal attack is a Gaussian attack, in which case the bound is saturated. Note that the above proof concerns DR, see Eq. (6), but its extension to RR is straightforward: one simply needs to interchange $a \leftrightarrow b$ and $A \leftrightarrow B$. As an illustration, Fig. 4 shows the highest tolerable excess noise $\epsilon$ as a function of the line transmission $T$ for the four Gaussian protocols (in DR and RR) and the optimal Gaussian collective attack.
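The bound $K(\rho^G_{AB})$ evaluated from second moments, as an added example that is not code from the paper. It covers one of the four protocols (squeezed states with homodyne detection on both sides, DR) and assumes shot-noise units (vacuum variance 1), a covariance matrix in standard form with entries `a`, `b`, `c`, and a hypothetical channel model `covariance_from_channel(V, T, eps)`; the symplectic-eigenvalue and thermal-entropy formulas are standard Gaussian-state results, not taken from the page.

```python
import math

def g(nu):
    """Entropy in bits of a thermal mode with symplectic eigenvalue nu >= 1."""
    if nu <= 1.0 + 1e-12:            # pure mode; also absorbs rounding below 1
        return 0.0
    hi, lo = (nu + 1) / 2, (nu - 1) / 2
    return hi * math.log2(hi) - lo * math.log2(lo)

def symplectic_eigenvalues(a, b, c2):
    """Eigenvalues of gamma_AB = [[a*I, c*Z], [c*Z, b*I]], given c2 = c**2."""
    delta = a * a + b * b - 2 * c2
    det = (a * b - c2) ** 2
    root = math.sqrt(max(delta * delta - 4 * det, 0.0))
    return math.sqrt((delta + root) / 2), math.sqrt((delta - root) / 2)

def dr_key_rate(a, b, c2, beta=1.0):
    """beta*S(a:b) - S(a:E) for the Gaussian state with covariance (a, b, c)."""
    # Shannon information between homodyne outcomes of the same quadrature.
    i_ab = 0.5 * math.log2(a * b / (a * b - c2))
    # Eve purifies rho_AB, so S(rho_E) = S(rho_AB).
    nu_plus, nu_minus = symplectic_eigenvalues(a, b, c2)
    # Given Alice's homodyne outcome, B+E is pure, so S(rho_E^a) = S(rho_B^a).
    nu_cond = math.sqrt(b * (b - c2 / a))
    chi_ae = g(nu_plus) + g(nu_minus) - g(nu_cond)
    return beta * i_ab - chi_ae

def covariance_from_channel(V, T, eps):
    """Assumed model: EPR variance V, transmission T, input-referred noise eps."""
    return V, T * (V + eps) + 1 - T, T * (V * V - 1)

def tolerable_excess_noise(V, T, beta=1.0, hi=2.0, steps=60):
    """Largest eps in [0, hi] with a positive bound, by bisection (0.0 if none)."""
    if dr_key_rate(*covariance_from_channel(V, T, 0.0), beta) <= 0:
        return 0.0
    lo = 0.0
    for _ in range(steps):
        mid = (lo + hi) / 2
        if dr_key_rate(*covariance_from_channel(V, T, mid), beta) > 0:
            lo = mid
        else:
            hi = mid
    return lo

if __name__ == "__main__":
    for T in (0.4, 0.7, 0.9):        # constructed sample operating points
        print(T, round(tolerable_excess_noise(4.0, T), 4))
```

In practice `a`, `b` and `c` come from the parameter-estimation step, so the bound is recomputed from the measured $\gamma_{AB}$ rather than from an assumed channel; `beta` is the reconciliation efficiency of Eq. (11).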

Coherent attacks represent the most powerful class of attacks Eve can perform: she lets all the signal pulses sent by Alice interact with a large auxiliary system (quantum computer), which she measures jointly at the end of the classical post-processing. Recently, it has been shown (for discrete-variable QKD) that, under some symmetries of the classical post-processing, the collective attacks are actually as efficient for Eve as the coherent attacks [?]. Taking for granted that this proof extends to CV-QKD, we conclude that our optimality proof of Gaussian attacks holds in full generality.

FIG. 4: Tolerable excess noise $\epsilon$ as a function of the channel transmission $T$ at the limit of an infinite modulation for the four Gaussian protocols: squeezed states + homodyne measurement (solid line), squeezed states + heterodyne measurement (dashed line), coherent states + homodyne measurement (dotted line), and coherent states + heterodyne measurement (dot-dashed line). The curves vanishing at (or above) T = 0.5 correspond to DR, whereas those vanishing at T = refer to RR.

Realistic implementations of CV-QKD never achieve the secret key rate $K(\rho_{AB})$ because reconciliation protocols are not 100% efficient. The actual key rate is

$$K = \beta S(a{:}b) - S(a{:}E) = S(a|E) - \beta S(a|b) - (1 - \beta) S(a), \tag{11}$$

where $\beta \in [0, 1]$ is the reconciliation efficiency. It is easy to prove that Eq. [?] also satisfies the three conditions of the extremality theorem, so our conclusions remain unchanged. In the special case of $\beta = 0$, this means that Eve's accessible information $\chi_{aE} = S(a{:}E)$ is maximized for Gaussian states, so that Gaussian collective attacks are also optimal in this restricted sense.

"Quantum" Bob. A theoretically interesting - though probably unrealistic - situation is the case where Bob reaches the Holevo bound $\chi_{aB}$. This may be done by combining the use of quantum memory with a proper optimal post-processing at Bob's side. The "ultimate" available secret key rate then reads

$$K = S(a{:}B) - S(a{:}E) = S(a|E) - S(a|B). \tag{12}$$

It again satisfies the three above conditions, so it is lower bounded by the Gaussian attack.

Conclusion. We have presented a unified analysis of all known QKD protocols based on Gaussian modulation of coherent (or squeezed) states by Alice and homodyne (or heterodyne) detection by Bob, for the DR and RR versions of one-way reconciliation. This entanglement-based model of CV-QKD combined with a physical representation of measurement gives a very simple way of writing the secret key rates in terms of mutual von Neumann entropies involving quantum systems (including the preparer and the measurer). Then, exploiting a recent result on the extremality of Gaussian states, we have demonstrated that the optimal collective attack against all these protocols is a Gaussian operation. It is then sufficient to check the security against Gaussian attacks, which are completely characterized by the covariance matrix $\gamma_{AB}$ estimated by Alice and Bob. This result appears to be quite general as it holds for realistic protocols (with finite reconciliation efficiency) as well as for ideal protocols (where Bob has a quantum memory and extracts the entire accessible information). Provided that [?] can be adapted to CV, it even extends to the full unconditional security of CV-QKD against coherent attacks.

Note added: The optimality of Gaussian collective attacks has been independently proved using different techniques in [?].